Monday, 2 February 2015

As more and more biometric solutions are deployed to
mainstream digital services, questions surrounding the privacy and security
implications of biometrics are increasingly being asked.

With the growth of biometric technology and its
expansion on to consumer digital services, privacy and security concerns are
correspondingly growing.

As biometric data is being captured and stored on a
wide range of smart mobile devices (SMDs) including Apple’s iPhone and iPad,
Samsung Galaxy and Huawei smartphones, or stored in cloud-based biometric
databases there are inevitably questions as to how this incredibly personal
data of ours is being protected.

There is much debate about the relative merits of these
two trust models; is the device-centric approach that Apple and FIDO employed
too restrictive a model? And can I trust the security of a database (cloud-based)
biometric solution?

How, and where, is my biometric data being stored? Who
has access to it? How well is it protected? When I enrol my fingerprint on my
smartphone, is it stored in secure hardware and does it ever leave the security
enclave? What legislation and regulation is in place to cover the privacy and
security aspects of biometric technology?

These are all valid questions that citizens, service
providers, biometric technology vendors, governments and hardware manufacturers
need to answer.

Regulation is still playing catch up with the
proliferation of biometric authentication and identity systems and in many
regions there is little control on how biometric data is captured, stored and
accessed. This is an alarming situation.

In a number of regions including the European Union
(EU), biometric data is beginning to be considered as personal data and as
such, is governed by data protection and privacy legislation.

In the case of the EU, protection of privacy and
personal data is covered by the Data Protection Directive of 1995 (officially
Directive 95/46/EC). The directive relates to the protection of individuals
with regard to the processing of personal data and on the free movement of such
data.

In April 2012, the Article 29 Working Party issued an
‘Opinion’ in biometric technologies with particular attention to fingerprints,
vein patterns, facial, voice recognition, DNA and signature biometrics.[1]
The Opinion aims to provide a framework of recommendations and guidelines for
the implementation of data protection rules in biometric applications.

The Opinion has a number of recommendations (legal and
technical) related to biometric data. These include suggestions on user consent,
contract and the concept of “privacy by design” for biometric systems.

In other regions including Australia, Canada and the
USA, there is federal and state data protection legislation that could be applied
to biometric data but nothing specific (although there have been attempts to
integrate biometric data into general data protection legislation in
Australia).

In addition to federal and state data protection
legislation there must be specific regulation and guidelines from a sector
perspective. The financial services market is one sector that has a decent track
record on data protection and identity (including authentication) matters and
there are references in the EU’s Payment Services Directive II. The Payment Service Directive II
regulates payment services and payment service providers such as banks within
the EU and recommends “various due diligence procedures in regard to the safety
of personalised security features of payment authentication instruments.”

The new Directive
on Payment Services II which might possibly be approved in 2015 suggests that a
biometric authentication system is deemed secure and advisable. The Directive
recommends the use of `strong user authentication’ which is defined by the
European Central Bank (ECB) in its “Recommendations for the security of
internet payments” document.[2]
The report defines strong user authentication as “a procedure based on the use
of two or more of the following elements– categorised as knowledge, ownership
and inherence: (i) something only the user knows, e.g. static password, code,
personal identification number; (ii) something only the user possesses, e.g. token,
smart card, mobile phone; (iii) something the user is, e.g. biometric
characteristic, such as a fingerprint".

Fingerprint biometric authentication has been one of
the fastest growing authentication technologies ever, offering a convenient
method for authenticating users especially on smart mobile devices. It is not
the only biometric method that will gain widespread adoption. I am a big fan of
behavioral biometrics, especially for financial services as it fits well into existing
anti-fraud and risk management solutions that are often used by financial
companies. It can also complement existing authentication and biometric
authentication solutions in enabling service providers to have a much more
accurate mechanism of proving that a particular device or web session is
actually being used by the legitimate user; rather than in the hands of a fraudster.

Behavioral biometrics is based on a behavioral trait of
an individual and includes how individuals uniquely interact with a device – be
it a smartphone or a laptop accessing a website. Behavioral traits include
keystrokes and interactions with a touchscreen.

Goode Intelligence
has just published a white paper commissioned by behavioral biometrics
specialist, BehavioSec investigating the impact of privacy and data protection
legislation on biometric authentication and it is available free to download here.

As always, I
welcome your thoughts and opinion on this blog and on the contents of the white
paper.